requireBearerAuth or optionalBearerAuth. The middleware calls it on each request to validate the bearer token before any tool runs.
Example
verifyAccessToken validates the token however your provider requires, returns an AuthInfo for a valid token, and throws InvalidTokenError otherwise. Pass it to the middleware as verifier: { verifyAccessToken }.
How you validate the token depends on your provider. Check its docs.
verifyAccessToken
- Resolve with an AuthInfo for a valid token. The middleware puts it on extra.authInfo for tool handlers.
- Throw InvalidTokenError for a malformed, badly signed, or expired token. The middleware returns a 401 with the right WWW-Authenticate header.
After verification the middleware also checks requiredScopes against authInfo.scopes and returns a 403 on a missing scope.
AuthInfo
What verifyAccessToken resolves with for a valid token.
| Field | Purpose |
|---|---|
| token | The raw bearer token. |
| clientId | The OAuth client_id, often the azp or client_id claim. |
| scopes | The scopes granted, checked against requiredScopes and per-tool securitySchemes. |
| expiresAt | Expiry in unix seconds. Required: tokens with no expiration are rejected. |
| extra | Anything else you want available to handlers, for example sub or email. |
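The following is an added example of a verifyAccessToken implementation and the checks described above; it is not code from this page or from the middleware's own library. It assumes a hypothetical provider that issues HS256 JWTs signed with a shared secret and carrying client_id, scope and exp claims; a real provider might use JWKS or token introspection instead. The AuthInfo interface and the InvalidTokenError and InsufficientScopeError classes are local stand-ins that mirror the shapes described on this page, so the file runs offline; mintToken exists only to construct sample tokens.

```typescript
// Added example: a verifyAccessToken for the bearer-token middleware described above.
// The token format (HS256 JWT), the shared secret and the claim names are assumptions;
// AuthInfo, InvalidTokenError and InsufficientScopeError are local stand-ins that mirror
// the page's description, not imports from a real library.
import { createHmac, timingSafeEqual } from 'node:crypto';

// Stand-in for the AuthInfo the middleware expects. expiresAt is unix seconds.
export interface AuthInfo {
  token: string;
  clientId: string;
  scopes: string[];
  expiresAt: number;
  extra?: Record<string, unknown>;
}

// Stand-ins for the middleware's errors: 401 for a bad token, 403 for a missing scope.
export class InvalidTokenError extends Error { readonly status = 401; }
export class InsufficientScopeError extends Error { readonly status = 403; }

// Hypothetical shared secret for the demo provider only.
const SIGNING_SECRET = 'demo-secret-do-not-use';

const b64url = (s: string | Buffer): string => Buffer.from(s).toString('base64url');
const hmac = (data: string): Buffer => createHmac('sha256', SIGNING_SECRET).update(data).digest();

// Constructs a sample token; in production the authorization server does this.
export function mintToken(claims: Record<string, unknown>): string {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify(claims));
  return `${header}.${payload}.${b64url(hmac(`${header}.${payload}`))}`;
}

function parseClaims(payload: string): Record<string, unknown> {
  try {
    const parsed = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
    if (parsed && typeof parsed === 'object') return parsed;
  } catch { /* fall through to the error below */ }
  throw new InvalidTokenError('malformed payload');
}

// Core check. Throws InvalidTokenError for a malformed, badly signed or expired token,
// which the middleware turns into a 401. `now` is injectable so expiry can be tested.
export function decodeAndVerify(token: string, now = Math.floor(Date.now() / 1000)): AuthInfo {
  const parts = token.split('.');
  if (parts.length !== 3) throw new InvalidTokenError('malformed token');
  const [header, payload, sig] = parts;

  // Always verify with our own key and algorithm; the header's alg is never trusted.
  // Compare in constant time and reject before reading any claim.
  const expected = hmac(`${header}.${payload}`);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    throw new InvalidTokenError('bad signature');
  }

  const { exp, client_id, scope, ...extra } = parseClaims(payload);
  // The middleware rejects tokens with no expiry, so do the same here.
  if (typeof exp !== 'number') throw new InvalidTokenError('token has no expiration');
  if (exp <= now) throw new InvalidTokenError('token expired');
  if (typeof client_id !== 'string') throw new InvalidTokenError('missing client_id');
  const scopes = typeof scope === 'string' ? scope.split(' ').filter(Boolean) : [];

  // Everything else (sub, email, ...) goes to handlers via extra.authInfo.extra.
  return { token, clientId: client_id, scopes, expiresAt: exp, extra };
}

// What you pass to the middleware as verifier: { verifyAccessToken }.
export async function verifyAccessToken(token: string): Promise<AuthInfo> {
  return decodeAndVerify(token);
}

// The requiredScopes check the middleware performs after verification (403 on a gap).
// Returns the list of missing scopes, which is empty on success.
export function checkScopes(authInfo: AuthInfo, requiredScopes: string[]): string[] {
  const missing = requiredScopes.filter(s => !authInfo.scopes.includes(s));
  if (missing.length > 0) {
    throw new InsufficientScopeError(`missing scopes: ${missing.join(' ')}`);
  }
  return missing;
}
```

Note the order of checks: the signature is verified before any claim is parsed, so an attacker cannot influence which error path runs by tampering with the payload, and a token that lacks exp is rejected outright rather than treated as non-expiring, matching the middleware's behaviour for expiresAt.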
Related
- requireBearerAuth: require a token on every request.
- optionalBearerAuth: accept a token when present, allow anonymous otherwise.
- Authenticate Users: add sign-in to your app end to end.